Semi

By Jeffrey Rothfeder |
Posted 09-09-2005

Pressure Increases, but CIOs Still Struggle to Stop Identity Theft

It's been a bad year for privacy.

Since February, when identity thieves conned data aggregator ChoicePoint Inc. out of 145,000 personal records that contained Social Security numbers, addresses and credit accounts, there have been upward of 60 incidents involving lost or stolen confidential data, affecting more than 50 million individual files.

The largest occurred in June, when information from 40 million MasterCard and Visa credit accounts was stolen by hackers who broke into the network of third-party transaction processor CardSystems Solutions Inc. Most of the other episodes pale in comparison, but they're just as potentially harmful to the people whose data was compromised.

But of all the recent, high-profile mishaps, a series of relatively minor incidents has, surprisingly, riled many security experts the most.

The first was in February, when Bank of America Corp. revealed that credit-card information on 1.2 million federal employees had been mislaid en route to a storage facility. A month later, a container of backup computer tapes containing personal information on 600,000 current and former Time Warner Inc. employees was lost in transit between New York City and a storage facility in New Jersey.

On the tapes were Social Security numbers and other data pertaining to such company celebrities as former CEO Jerry Levin and former Chairman Steve Case. Soon after that, backup customer account files belonging to City National Bank, in Los Angeles, also disappeared after they had been put on a truck for shipment to a data repository.

Each of these three cases is still unexplained, and it's unclear whether the records were stolen or simply mishandled. Moreover, the information on the files doesn't appear to have been misused by identity thievesyet. But although little harm appears to have been done by these episodes, they were nonetheless particularly disturbing, because the culprit in each case was Iron Mountain Inc., a Boston-based records-management company that has built a reputation as the premier protector of essential corporate assets.

A mushroom farmer named Herman Knaust founded Iron Mountain Atomic Storage Corp. in 1951, when he converted a depleted iron ore mine in Livingston, N.Y., into the world's first underground hideaway hardened against even a nuclear incursion. The company's initial customers were 150 executives from Fortune 500 companies who wanted a safe haven from a Soviet attack. Over the past half-century, Iron Mountain has trucked untold amounts of paper, film, computer media, medical files and X-rays into its half-dozen secret subterranean sites and other facilities, making it the No. 1 guardian of sensitive corporate data, with $1.8 billion in annual sales.

Indeed, Iron Mountain has been so quietly and consistently competent that since going public nearly a decade ago, its stock has increased almost 600 percentsix times better than the S&P 500 Index.

So when Iron Mountain admitted that it, like numerous other financial services, information and data collection firms, had misplaced data it was supposed to protect, the news was, for many, the most tangible evidence that something had gone seriously and systemically wrong with the way companies were handling confidential information. If Iron Mountain can't safeguard sensitive data, information experts believe, then nothing is safe.

"It's not totally Iron Mountain's fault," says Jim Hughes, a senior fellow at computer storage company StorageTek, which is working with global industries on data security encryption standards. "You have to wonder why these companies didn't encrypt the data before they shipped it. But whoever was at fault, these incidents took place at a company that specializes in protecting information.

That's enough to drive home the fact that although companies have a responsibility to protect their own private information, very few are."

Iron Mountain claims that these foul-ups are anomalies. According to a company statement, "Iron Mountain performs upward of five million pick-ups and deliveries of backup tapes each year, with greater than 99.999 percent reliability."

But not everyone was buying it. By mid-June the company's once high-flying stock, buffeted by negative publicity, had dropped to about $28, 20 percent below its 52-week high, though it has since rebounded to $34.

Story Guide: High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.

Risky Business: It's hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.

Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?

Risky Business

Companies pay a steep price for mishandling sensitive datain declining market capitalization, reduced profits and damaged reputations. ChoicePoint, which maintains as many as 19 billion data files that trace the financial, insurance and demographic backgrounds of nearly every adult in the U.S., took a charge of $11.4 million in the first and second quarters of this year in order to cover both the cost of notifying consumers that their private information had been stolen, as well as legal fees related to the incident.

This lowered ChoicePoint's operating earnings by almost 9 percent in the first half of the year.

Still, for most consumers, such financial penalties offer little consolation. What people really want is for companies to alter their behavior.

Admittedly, most consumers like the benefits of databases: quicker turnarounds on loan and credit applications, the convenience of shopping on the Web, greater accuracy of medical records, and finely filtered recommendations from e-commerce sites, to name a few.

Yet surveys indicate that these pluses are beginning to be outweighed by the dread of identity theft and data scams, not to mention spam and unwanted direct marketing, all of which are the result of a growing laxity toward safeguarding confidential data.

According to a May 2005 survey of 1,003 U.S. voters, conducted by the Cyber Security Industry Alliance (CSIA), a trade organization representing companies that make security products, 97 percent of respondents rate identity theft as a serious problem and are fearful of their personal information being stolen; 48 percent said they avoid making purchases on the Internet because they are afraid their financial information isn't safe, and 71 percent believe new laws are needed to protect consumer privacy.

"Companies have been in a state of denial about protecting datathey've held off federal regulation by promising to self-police, and instead they've done nothing," says Ray Ricks, former chief of privacy standards, security planning and global fraud investigations at Citibank, and founder of eCenturion LLC, a maker of network protection software based in Huntington Beach, Calif.

"Many companies have a budget that says, 'This is what we forecast will be our financial losses from data losses and identity theft and the like,' and then manage to that number," Ricks says. "As long as they don't go beyond that budget, data protection is not a priority."

Odds are, companies won't have that option much longer. As a result of the rash of data incidents and the subsequent consumer backlash, U.S. lawmakers are taking the strongest steps yet to replace the generally unregulated data environment with strict mandates for how individual privacy and confidential information must be protected.

The most far-reaching legislation is the Personal Data Privacy and Security Act of 2005, cosponsored by Republican Senator Arlen Specter, chairman of the Judiciary Committee, and Senator Patrick Leahy, the committee's ranking Democrat.

If this bill passes in anything like its current form, as it's expected to either late this year or early in 2006, it could affect companies in much the same way as the Sarbanes-Oxley Act has. The bill would require new and sometimes expensive procedures and systems to protect confidential data, just as Sarbanes-Oxley does in the realm of accurate financial and accounting disclosure.

And while the price tag to safeguard private information will not be as high as it was to rejigger accounting systems, the change in the way companies operate could be just as radical.

"Reforms like these are long overdue," Senator Leahy says. "Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. [The Specter-Leahy bill] provides tough monetary and criminal penalties for compromising personal data or failing to provide necessary protections. This creates an incentive for companies to protect personal information."

Story Guide: High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.

Risky Business: It's hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.

Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?

Security by Design

Businesses are paying the closest attention to Title IV of the bill. This section requires that companies involved in interstate commerce, and that have at least 10,000 files on individuals in digital form, design a data security program that ensures confidentiality of sensitive records and protects against unauthorized access and use of personally identifiable information.

Such companies must publish their data privacy procedures and regularly conduct tests to assess system vulnerabilities. Businesses that violate these rules could face fines and government prosecution.

There has been a lot of discussion already about Title IV among company executives and security experts, and, although Specter-Leahy doesn't list specific steps that must be taken, a picture has gradually emerged of what an acceptable data privacy system might look like under the legislation.

This informal blueprint, while useful, only serves to highlight the lax stance most businesses have taken toward data security: Few companies have adoptedor even considered adoptingthe full range of privacy measures that security experts believe would satisfy Specter-Leahy regulations.

This means that after years of neglect, increased spending on data security will likely become a staple of IT budgets for the foreseeable future.

"More companies are starting to evaluate the risk to their operations and financial performance from neglecting to protect sensitive information," says Paul Kurtz, executive director of the CSIA. "They don't want their names plastered on the front page of the newspaper, or to be prosecuted for failing to live up to the standards federal and state governments are demanding they adopt to protect consumers. They know that wouldn't be good for business."

The minimum requirement for meeting Specter-Leahy benchmarks is a data encryption program, according to security experts. The federal government and U.S. companies have bickered for years over what level of encoding corporations should be allowed to use in order not to run afoul of national security guidelines.

Now, 128-bit encryption systems have emerged as a standard that can adequately protect company data from hackers and other information thieves, while still giving intelligence agencies the confidence that they could crack the code if they needed to. But although encryption programs are not particularly expensive to implementeven a large company with a lot of data wouldn't have to pay more than $100,000 or so to adopt such a systema mere 7 percent of companies encrypt information when it is backed up to tape, according to storage industry researchers Enterprise Strategy Group.

Encryption not only protects a company's secrets from prying eyes, it also potentially shields the organization from expensive litigation, penalties and damage to its reputation. A central component of Specter-Leahy is a section modeled after the two-year-old California Data Privacy Act, which has since been mirrored by seven other states.

The law compelled companies to disclose data losses and thefts involving residents of the state, and, as eCenturion's Ricks puts it, "forced the bubble of gas to the surface and exposed how badly managed private information really is." Under Specter-Leahy, companies would be required to reveal all data breaches, immediately, through public statements and letters to everyone whose personal information had been put at risk.

Story Guide: High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.

Risky Business: It's hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.

Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?

Semi

-Secure From Litigation">

But there is one exception to this rule in both the California law and the Specter-Leahy bill: Companies that have used encryption to make sensitive information unreadable to information thieves need not report data thefts to consumers. The idea of using data encryption as a safe harbor has received mixed reactions from security experts, but, overall, they believe that it at least gives companies a clear incentive to live up to the goals of the legislation.

In fact, in large part because of the California law, Addison, Texas-based Credant Technologies has seen a surge in sales of its mobile encryption software, from 700,000 licenses in the first quarter of 2005 to 1.2 million licenses in the second quarter.

"Encryption is an important and elegant approach to data protectionit's absolutely essentialbut it still must be part of a holistic data protection system," says CSIA's Kurtz. "I don't want to think that companies will believe they've done enough because the law lets them off the hook if they encrypt."

Kurtz says he would prefer that the legislation call for third-party certification of data protection programs as the mechanism that would trigger the safe harbor. Privacy auditing firms could conduct these assessments and produce reports detailing the areas in which companies have met the highest information security standards and in what ways they could improve.

"With this approach," Kurtz adds, "it may be possible to drive insurance companies to underwrite policies that cover losses for data security breaches because they would have real data that could help them determine risk."

Most companies believe that because they have antivirus software on their network, and have installed a firewall, they've sufficiently protected sensitive information. But that's a false sense of security. Poorly configured firewallsthe norm at most companies, according to security expertsprovide at most 1 percent of the filtering required to keep out hackers, viruses, worms and other intruders. The problem, often enough, is that CEOs and CIOs relegate data protection to low-level staffers who may have taken a course given by, say, Microsoft Corp. about information security, but who don't have the credentials necessary to handle such an important aspect of a company's operation.

Feds Flunk Security 101 In the first major study of government agencies, the GAO finds "pervasive weakness" in information-security at 24 major U.S. agencies.

For that reason, it's little wonder that two-thirds of companies surveyed by Enterprise Strategy Group this year were victims of Internet worms.

One way to protect networks is by installing intrusion protection software. Essentially, this software monitors networks for areas that are unprotected, and temporarily closes these vulnerabilities when companies are unable to keep up with the required security patch updates necessary to solidify firewalls. A better option, though, is a full-fledged network security program that creates a shield around every link and node on the network, watches the activity of every user, and monitors for break-ins or attempts to steal information.

None of this, however, is useful if unauthorized people can easily gain access to corporate data (see "The Customer Did It," page 44). As a result, experts have identified vastly improved authentication of individuals, before allowing them to view or download information, as another essential aspect of a data security program that would meet the requirements of Specter-Leahy.

"Passwords are a lousy way to protect consumers," says Chris Voice, vice president of technology at Entrust, an Addison, Texas-based encryption company. "At an ATM, you have to have a debit card or you can't access the system. That's more than a password. So why do we guard credit data, health records and other sensitive data behind only a password on the Web, or in most corporate networks?"

A variety of techniques have been suggested to help authenticate people, including so-called tokens that are plugged into a USB port of a computer or a socket in a kiosk-based machine, as well as numeric grids on which people would type assigned numbers before their user name and password.

All of these add cost to database transactions, however, and some inconvenience for customers.

Yet as the government moves closer to regulating data environments, companies should view less permeable authorization techniques as "necessary and inevitable, because consumers are under relentless assault by fraudsters and identity thieves," says Jonathan Penn, an analyst at Forrester Research Inc.

Story Guide: High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.

Risky Business: It's hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.

Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?

Privacy in Action

How will companies actually respond if the Specter-Leahy bill, or something similar, is enacted into law? Two pieces of earlier legislation that mandated data protection systems for specific industries hold a clue. Both the Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA), and the Gramm-Leach-Bliley Act of 1999, require healthcare providers and financial services firms, respectively, to implement privacy controls covering all their sensitive customer information over a period of time.

Before HIPAA, Oklahoma City-based Integris Health Inc., which manages 12 hospitals across the state, had no data security staff, and it relegated privacy protection to the information technology department.

No surprise, then, that anyone who worked at Integrisfrom physicians to orderlies, theoreticallyhad virtually free access to databases through poorly protected network accounts. But in 2001, Integris created a security group that has since designed a system that protects sensitive data, audits and approves access to systems containing patient records, uses biometrics to authenticate valid users (such as an ICU nurse taking care of a cardiac patient), guards against network intruders, and manages the downloading of information to mobile devices.

This has been an ambitious project, costing upward of $1 million. It would never have been undertaken had HIPAA not forced Integris to focus on data protection, says Randy Maib, the hospital chain's senior IT consultant. But now that the company has invested in privacy, Maib says, there is a clear change of heart. What was once less than an afterthought is now considered critical to Integris's performance.

"There was a study done by a university that said a company could see over a 5 percent decrease in profits if confidential information is accidentally disclosed," says Maib. "Healthcare is such a competitive environment that the potential loss is probably more than that. We may not have understood it well before, but now we know that we can't afford to ignore the level of privacy people expect of us."

Consumers can only hope that other companies get the same religioneither before, or after, the federal government forces them to.

Consumer Protection

Over the past three decades, Congress has passed a patchwork of laws designed to protector invadeprivacy. The results have been decidedly mixed, as the ongoing problems with lost or incorrect data and increased identity theft demonstrate.

1970

Fair Credit Reporting Act

1974

The Privacy Act

1986

Electronic Communications Act

What it does: Allows consumers to view their credit reports and correct mistakes; limits access to consumer files to lenders, employers, landlords and anyone with a permissible business purpose.

What precipitated it: An avalanche of consumer complaints about inaccurate credit reports that had hindered their ability to obtain loans, buy a house, or even get a job, with no recourse to fix errors.

Comment: A notable first step to reining in the credit bureaus. Recent legislation improved on the FCRA by giving consumers the right to obtain one free credit report a year. But credit reports are still rife with errors, and the bureaus have been too lax about protecting files.

What it does: Requires federal agencies to inform people, at the time the agencies are collecting information about them, why this information is being collected and how it will be used; forbids agencies, without consent, from disclosing a person's records to anyone but that individual.

What precipitated it: Illegal surveillance of individuals, and surreptitious keeping of files by government agencies, exposed during the Watergate scandal.

Comment: The law has by and large curbed government privacy abuses and made agencies more transparent.

What it does: Attempts to extend to electronic communications, such as e-mail, the same protections from surveillance as oral and telephone-based communications.

What precipitated it: Fears that electronic communications were not covered by existing wiretap laws and, thus, could be accessed by authorities without judicial warrants or subpoenas.

Comment: A series of loopholes allow online services, ISPs and law enforcement to eavesdrop on electronic communications without first getting a court order.

U.S.A. Patriot Act (full name is Uniting and Strenghtening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism)

What it does: Mandates that consumers have access to their own medical records; requires healthcare providers to notify consumers about their privacy practices; compels healthcare providers to design systems to protect medical records from unauthorized individuals.

What precipitated it: Concern that the advent of electronic files left patient records, which had no legal privacy protection, more vulnerable to being intercepted by unauthorized individuals.

Comment: Offers minimal privacy protection. Even with HIPAA, most patients feel powerless to question the data policies of their healthcare providersthus giving the providers carte blanche to set up any procedures they choose. Meanwhile, private patient information can be used for marketing without consumer consent.

What it does: Calls for financial institutions to inform consumers about the information they collect about them, how it is used and how they can stop it from being sold; mandates that firms develop policies to prevent fraudulent access to data.

What precipitated it: An outbreak of identity theft, and worries that industry consolidation would encourage mega-financial firms to pass consumer files freely from one department to another.

Comment: To keep personal information from being sold to third parties or shared internally, consumers must opt outa right they are generally unaware of and that is usually offered in the small print. In addition, financial services firms have generally been lax about implementing security systems and have failed to stem identity theft.

What it does: Allows search of business and financial records, library history, bookstore purchases and the like pertaining to foreign intelligence suspects; permits eavesdropping on the Internet if an ISP agrees; authorizes the use of a single search warrant to snoop on a suspect's communications via land lines, mobile phone, the Web or any other means.

Comment: The bill has eliminated the walls that impeded law enforcement agencies from sharing information during terrorist investigations. Opponents believe it gives the government excessively wide-ranging rights to eavesdrop with little judicial oversight. So far, there have been no reported cases of privacy breaches as a result of the Patriot Act.

Story Guide: High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.

Risky Business: It's hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.

Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?